caddytls: add TLS 1.3 support #2399
Conversation
Nice, thanks for jumping on this. (Realizing that, of course, this is a temporary solution, as once Go 1.12 is released, we can just update it in-place.) While we're at it, can we remove the CBC ciphers from the defaultCiphers lists? I think we should take this opportunity to modernize Caddy's TLS config to be up to snuff with the latest: TLS 1.2 and 1.3.
I tested this on SSL Labs. The result is https://www.ssllabs.com/ssltest/analyze.html?d=tw.crvv.me&hideResults=on With Let's Encrypt RSA certificates, the failed clients are Is that OK?
I do not think this should be an issue.
We definitely should add TLS 1.3 cipher suites 😄
@elcore
Oh... Thank you!
Is there an ETA on this?
To use Caddy with TLS 1.3 today, go ahead and build from @crvv's branch -- and when Go 1.12 comes out next month, this PR should be updated to make TLS 1.3 the default (without the build constraint which it currently has), and then we'll merge in the PR.
@crvv Will we need to set an env variable to enable TLS 1.3 by default? golang/go#30055
We need to set that.
@crvv Great! Looks like a doc change will be merged, and I'm good with it if we include that Setenv in this PR to enable it by default.
Made some tests today, compiling caddy with go1.12rc1 and this patch. Switched then back to go1.12beta2 and applied the same patch and boom, TLS 1.3 works again... Wonder where that comes from.
@henrocker I think it's because rc1 now requires an environment variable to be set. See the issue I linked to in a comment above. Would love it if you could help figure out if that's what is needed!
Thanks for pointing me out. Gonna do some further tests tomorrow and will report back if the envvar fixes this. Thanks
Applied patch and built Caddy with go1.12rc1:
Command to run Caddy:
TLS1.3 works! :-) When running caddy without the GODEBUG var, then TLS1.2 is served
@henrocker Any chance we can set that env var in code instead of the user having to do it?
Maybe something like golang/go#30055 (comment) could be done, but since my understanding in golang is limited, I'm afraid I can only do some tests, if there's something new to try out.
@@ -34,6 +34,9 @@ import ( | |||
) | |||
|
|||
func init() { | |||
// opt-in TLS 1.3 for Go1.12 | |||
os.Setenv("GODEBUG", os.Getenv("GODEBUG")+",tls13=1") |
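Review bot: the `os.Setenv("GODEBUG", os.Getenv("GODEBUG")+",tls13=1")` line in init() writes `,tls13=1` (leading comma) when GODEBUG is unset, and because it appends unconditionally, an operator who deliberately set `GODEBUG=tls13=0` can still end up with TLS 1.3 switched on, depending on how the runtime resolves the duplicated key. Suggest reading the current value first, returning early when it already contains `tls13=`, and joining with a comma only when the existing value is non-empty. Since this is a Go 1.12-only opt-in, the comment should also carry a TODO to drop it once TLS 1.3 is enabled by default.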
@henrocker @mholt
I have added this env in code.
Excellent!
Can we put a TODO in the comment so we remember to revisit this later (i.e. after Go 1.13)?
Yes, I have added the TODO.
Go 1.12 is released; just waiting for CI systems to pick up the new version.
AppVeyor is refusing to pick up the merge that upgrades to Go 1.12, but the tests on Travis are passing, so I'm merging this sucker. Thanks everyone!! How exciting.
tls1.0 and tls1.1 are no longer available? I use this config but only tls1.2 and tls1.3 are supported, since this commit...
The documentation does state that "Supported protocols and default protocol versions may be changed at any time", but if that's the case, it should be updated at the next opportunity to reflect the current available protocols. |
TLS 1.0 and 1.1 are supported but not enabled by default, you have to enable those manually, but I highly, highly, strongly, super duper discourage that. (That didn't change with this commit. It has been that way for well over a year.)
Oh, I see what you mean. Hmm. Can you open a new issue please?
With this PR, there are only AEAD ciphers in the default cipher suites. If you want TLS 1.0 and 1.1, you must specify cipher suites you want in the Caddyfile.
Annnd we have a winner, totally forgot about that. 😅 That would probably be the reason! Thanks @crvv.
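Added illustration of the point above (example code, not from the Caddy PR or the Caddy code base): TLS 1.0 and 1.1 disappear once only AEAD suites remain because Go ties every cipher suite to the protocol versions it can run under, and AEAD suites exist only from TLS 1.2 up, while the TLS 1.3 suites are fixed. The `aeadOnly` list below is constructed for the example, not Caddy's real default list, and `NegotiableVersions` is a helper written here on top of `tls.CipherSuites` (Go 1.14+).

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// Constructed AEAD-only list in the spirit of the PR's new defaults (not
// Caddy's actual list): every suite here runs only under TLS 1.2.
var aeadOnly = []uint16{
	tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
	tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
	tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
	tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
	tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
	tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
}

// NegotiableVersions returns, ascending, the protocol versions a Go TLS server
// could really agree on for a version window and a suite list (empty list =
// Go's whole built-in list). Each suite advertises its versions: CBC suites
// reach back to TLS 1.0, AEAD suites need 1.2, and the TLS 1.3 suites are
// fixed, so they stay available no matter how the list is trimmed.
func NegotiableVersions(minVer, maxVer uint16, suites []uint16) []uint16 {
	wanted := make(map[uint16]bool, len(suites))
	for _, id := range suites {
		wanted[id] = true
	}
	ok := map[uint16]bool{tls.VersionTLS13: true} // 1.3 suites not configurable
	for _, cs := range append(tls.CipherSuites(), tls.InsecureCipherSuites()...) {
		if len(suites) > 0 && !wanted[cs.ID] {
			continue
		}
		for _, v := range cs.SupportedVersions {
			ok[v] = true
		}
	}
	var out []uint16
	for _, v := range []uint16{tls.VersionTLS10, tls.VersionTLS11, tls.VersionTLS12, tls.VersionTLS13} {
		if ok[v] && v >= minVer && v <= maxVer {
			out = append(out, v)
		}
	}
	return out
}

func main() {
	withCBC := append(append([]uint16{}, aeadOnly...), tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA)
	fmt.Printf("AEAD only: %#x\nwith CBC:  %#x\n", NegotiableVersions(tls.VersionTLS10, tls.VersionTLS13, aeadOnly), NegotiableVersions(tls.VersionTLS10, tls.VersionTLS13, withCBC))
}
```

Even with the window opened down to TLS 1.0, the AEAD-only list yields 0x303 and 0x304 (TLS 1.2 and 1.3) only; adding one ECDHE CBC suite brings 1.0 and 1.1 back, which is exactly the Caddyfile trade-off described above.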
1. What does this change do, exactly?
add TLS 1.3
2. Please link to the relevant issues.
#2080
3. Which documentation changes (if any) need to be made because of this PR?
https://caddyserver.com/docs/tls
4. Checklist
If Caddy should still be buildable with Go 1.11 after the release of 1.12, I think this PR can be accepted now.
If not, the new file with build tag "go1.12" is useless and the change can be applied to config.go directly when Go 1.12 is released.